Abstract — IC3 is undoubtedly one of the most successful and important recent techniques for unbounded model checking. Understanding and improving IC3 has been the subject of a lot of recent research. In this regard, the most fundamental questions are how to choose Counterexamples to Induction (CTIs) and how to generalize them into (blocking) lemmas. Answers to both questions influence the performance of the algorithm by directly affecting the quality of the lemmas learned. In this paper, we present a new IC3-based algorithm, called Quip, that is designed to more aggressively propagate (or push) learned lemmas in order to obtain a safe inductive invariant faster. Quip modifies the recursive blocking procedure of IC3 to prioritize pushing already discovered lemmas over learning new ones. However, a naive implementation of this strategy floods the algorithm with too many useless lemmas. In Quip, we solve this by extending IC3 with may-proof-obligations (corresponding to the negations of learned lemmas), and by using an under-approximation of the reachable states (i.e., states that witness why a may-proof-obligation is satisfiable) to prune non-inductive lemmas. We have implemented Quip on top of an industrial-strength implementation of IC3. The experimental evaluation on HWMCC benchmarks shows that Quip is a significant improvement (at least 2x in runtime and more properties solved) over IC3. Furthermore, the new reasoning capabilities of Quip naturally lead to additional optimizations and new techniques that can lead to further improvements in the future.

I.  Introduction 

IC3 [1] (also known as PDR [2]) is one of the most powerful algorithms for unbounded model checking of hardware. It is highly customizable [3], [4], and has been successfully extended to more general domains [5]-[7].

In a nutshell, IC3 aims at constructing an inductive invariant that proves the property. IC3 works by iteratively detecting states that lead to a property violation (in the IC3 literature these states are also identified with counterexamples-to-induction and are called CTIs) and by learning lemmas that demonstrate why these CTIs cannot be reached from the initial states within a bounded number of steps. In this way, IC3 incrementally refines over-approximations F_k of the states that are reachable in up to k steps, and terminates when one of the sets F_k represents a safe inductive invariant, or when a counterexample is found. The general scope of this paper is to further improve the invariant generation capabilities of IC3. In what follows, we first analyze and discuss some of the choices made by IC3, and then present our approach.

One of the most important decisions made by IC3 pertains to the generalization of new lemmas at the time when they are discovered. Ideally, given a CTI, we would like to generate the strongest possible lemma that excludes this CTI and holds on all reachable states. However, the set of all reachable states is obviously not available. IC3 solves this problem by attempting to find the strongest lemma φ that is relatively inductive with respect to the appropriate over-approximation F_k. However, as F_k is neither an over-approximation nor an under-approximation of the set of all reachable states, φ can be either too strong or too weak. Being too strong means that φ excludes some of the reachable states and hence has no chance to be in the final inductive invariant, while being too weak means that φ prunes fewer unreachable states, which degrades convergence. Another deficiency of IC3 is that once a lemma is added, it remains in the system, and there is no mechanism to detect and prune non-inductive lemmas, which translates into wasted effort spent propagating them.

An important optimization that already exists in IC3 consists of blocking the same CTI at many different levels. In our experience, IC3 often discovers many different lemmas to block the same CTI. On the one hand, different lemmas are in general of different quality, and so having a variety of lemmas to choose from is beneficial. On the other hand, keeping several lemmas for the same CTI leads to wasted effort in storing and pushing multiple lemmas when one would be enough. IC3 partially addresses this concern by pushing each lemma as far as possible when it is created (which implicitly blocks the corresponding CTIs at higher levels); however, it often happens that a lemma φ cannot be pushed forward because the appropriate over-approximation F_k is not strong enough. An alternative solution is to derive additional supporting lemmas that enable pushing φ forward, thus prioritizing the use of a lemma already in the system, at the expense of finding the additional lemmas required to support it. We believe that the new strategy is superior, as it should lead to an inductive invariant faster. Unfortunately, a naive implementation forces the algorithm to start discovering new lemmas to support lemmas already in the system, and then new lemmas to support these supporting lemmas, and so on, flooding the algorithm with a huge number of lemmas. To some extent the problem again boils down to a lack of control over the usefulness of the lemmas in the system, and the need to detect and prune the less useful ones.

In this paper, we present an improvement to the core of the IC3 algorithm. Motivated by the considerations above, we present an algorithm, called Quip, that combines the following innovations:

1) In Quip, we periodically detect the maximal inductive subset of all lemmas discovered so far. These lemmas are stored separately (in F_∞ in the terminology of PDR) and represent good lemmas: lemmas that should always remain in the system.

2) In Quip, we turn existing lemmas into additional proof obligations (and prioritize considering these proof obligations over regular proof obligations). Given φ ∈ F_k \ F_{k+1}, we add ¬φ at level k + 1 as a may-proof-obligation. In this way, we either succeed in pushing φ further (if ¬φ is blocked), or find a witness trace that explains why φ cannot be pushed. Since ¬φ does not necessarily represent a CTI, the witness trace does not necessarily lead to a property violation; however, it produces a concrete forward reachable state that is excluded by φ and hence explains why φ is not inductive. In particular, φ is a bad lemma: a lemma that has no chance to be in the inductive invariant.

3) In Quip we dynamically discover reachable states. These reachable states are used in several ways. First, each time a new reachable state is discovered, it is used to mark as bad all lemmas in the system that exclude this state. Second, reachable states are used to automatically invalidate other may-proof-obligations or to discover a real counterexample. Finally, they are used to effectively enlarge the set of initial states, and the enlarged set of initial states is taken into account when generalizing lemmas in the future.

Note that the ideas above are highly interdependent: without considering may-proof-obligations there is no way to produce interesting reachable states, while without considering reachable states there is no way to prune lemmas in the system. We also claim that Quip partially addresses the problems described in the beginning. By prioritizing may-proof-obligations over regular proof obligations, we try to reuse lemmas that already exist. In addition, as may-proof-obligations usually consist of significantly fewer literals than regular proof obligations, we effectively try to avoid learning lemmas that are too weak, while by computing and using the set of reachable states for generalization, we also try to avoid learning lemmas that are too strong. Finally, we can now classify lemmas as good, bad and unknown, and thus gain some control over which lemmas we want to propagate and keep, and which lemmas we do not. In what follows, we show how to integrate the presented ideas into an efficient algorithm and experimentally demonstrate that this represents a significant performance improvement over classical IC3.


II.  Background 

Let  V  be  a  set  of  variables.  A  literal  is  either  a  variable 
b  £  V  or  its  negation  ~^b.  A  clause  is  a  disjunction  of  literals. 
A  Boolean  formula  in  Conjunctive  Normal  Form  (CNF)  is  a 
conjunction  of  clauses.  A  cube  is  a  conjunction  of  literals. 
A  Boolean  formula  in  Disjunctive  Normal  Form  (DNF)  is  a 
disjunction  of  cubes.  It  is  often  convenient  to  treat  a  clause 
or  a  cube  as  a  set  of  literals,  a  CNF  as  a  set  of  clauses,  and 
DNF  as  a  set  of  cubes.  For  example,  given  a  CNF  formula  F, 
a  clause  c  and  a  literal  I,  we  write  £  c  to  mean  that  l  occurs 
in  c,  and  c  £  F  to  mean  that  c  occurs  in  F. 

Let  V  be  a  set  of  variables  and  V'  =  jV  |  v  £  V}.  A  safety 
verification  problem  is  a  tuple  P  =  ( Init ,  Tr ,  Bad),  where 
Init(V )  and  BadiV)  are  formulas  with  free  variables  in  V 
denoting  initial  and  bad  states,  respectively,  and  Tr(V,V' )  is 
a  formula  with  free  variables  in  V  U  V'  denoting  the  transition 
relation.  Without  loss  of  generality,  we  assume  that  Init  and 
Tr  are  in  CNF. 


The  verification  problem  P  is  SAT  (or  UNSAFE)  iff  there 
exists  a  natural  number  N  such  that  the  following  formula  is 
SAT: 


/N- 1 


Init(n o)  A  f\  Tr(vi,vi+ 1)  )  A  Bad{vN)  (1) 


,  2—0 


P  is  UNSAT  (or  SAFE)  iff  there  exists  a  formula  Inv(V), 
called  a  safe  invariant,  that  satisfies  the  following  conditions: 


Init(v )  =>■  Inv(v)  Inv{v)  A  Tr(v,  f)  =>  Inv(ff )  (2) 

Inv{v)  =$■  ~^Bad(v)  (3) 

A  formula  Inv  that  satisfies  0  is  called  an  invariant,  while  a 
formula  Inv  that  satisfies  0  is  called  safe. 

We  give  a  brief  description  of  IC3  that  highlights  some 
steps,  but  omits  many  crucial  optimizations.  We  refer  the 
reader  to  |8)  for  an  overview  of  available  optimizations  and 
their  possible  implementations. 

IC3  maintains  a  set  of  clauses  Fa ,  F) , . . .  called  a  trace. 
Each  Ft  in  a  trace  is  called  a  frame,  each  clause  c  £  F,  is 
called  a  lemma,  and  the  index  of  a  frame  is  called  a  level.  We 
assume  that  Fq  is  initialized  to  Init  and  that  Init  — >  -> Bad . 
IC3  maintains  the  following  invariant: 


We  believe  that  our  work  extends  the  I C  3  framework  with 
additional  reasoning  capabilities:  computing  maximal  induc¬ 
tive  invariants,  considering  may-proof-obligations  and  forward 
reachable  states.  These  naturally  lead  to  other  optimizations 
and  new  techniques  that  can  lead  to  further  improvement  in 
the  future.  Last  by  not  least,  the  new  framework  can  be  easily 
used  with  all  other  known  IC3  optimizations  and  can  be  lifted 
to  more  general  domains. 


The  rest  of  the  paper  is  structured  as  follows.  In  Section  [III 
we  review  the  necessary  background  about  IC3.  We  present 
the  Quip  algorithm  at  high-level  in  Section[In]  and  the  details 
of  our  implementation  in  Section  [TV]  Our  empirical  evaluation 
is  reported  in  Section  VI  Finally,  we  conclude  the  paper  with 
an  overview  of  related  work  in  Section  |VII[  and  conclusion  in 
Section  lYlnl 


Fi  — >  —iBad  -Fi-i-i  C  Fi  Fi  A  Tr  — >  F'+1 

That  is,  each  element  of  the  trace  is  safe,  the  trace  is  syntac¬ 
tically  monotone,  and  each  Fi+ 1  is  inductive  relative  to  Ft. 
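As an added illustration of the definitions above (this code is not from the paper), the following Python decides formula (1) by explicit unrolling and conditions (2) and (3) by enumeration on a constructed 4-bit design: Init is the all-zero state, Tr increments the register by two modulo 16, and Bad is the all-ones state. The design, the two candidate invariants and the unsafe variant `tr_by_one` are assumptions made for the example.

```python
# Added example, not the paper's code: the safety verification problem
# P = (Init, Tr, Bad) of Section II on a constructed explicit-state design.
# A state is an int over NBITS state variables; bit j of the int is x_j.
NBITS = 4
STATES = range(1 << NBITS)

def init(s):                    # Init: every state bit is 0
    return s == 0

def tr(s, t):                   # Tr: the register counts up by two, wrapping at 16
    return t == (s + 2) % (1 << NBITS)

def tr_by_one(s, t):            # assumed unsafe variant of Tr: counts up by one
    return t == (s + 1) % (1 << NBITS)

def bad(s):                     # Bad: all bits set, i.e. the value 15
    return s == (1 << NBITS) - 1

def bmc(init, tr, bad, n_max):
    """Formula (1) for N = 0, 1, ..., n_max: is there a path
    Init(v0) ∧ Tr(v0, v1) ∧ ... ∧ Tr(v_{N-1}, v_N) ∧ Bad(v_N)?
    Returns the first such path (a list of states) or None."""
    frontier = {s: [s] for s in STATES if init(s)}      # states at depth N, with a path to each
    for _ in range(n_max + 1):
        for s, path in frontier.items():
            if bad(s):
                return path
        frontier = {t: path + [t] for s, path in frontier.items()
                    for t in STATES if tr(s, t)}
    return None

def is_invariant(inv, tr=tr):
    """Condition (2): Init ⇒ Inv and Inv ∧ Tr ⇒ Inv'."""
    return (all(inv(s) for s in STATES if init(s)) and
            all(inv(t) for s in STATES if inv(s) for t in STATES if tr(s, t)))

def is_safe(inv):
    """Condition (3): Inv ⇒ ¬Bad."""
    return all(not bad(s) for s in STATES if inv(s))

def is_safe_invariant(inv, tr=tr):
    """Inv proves P SAFE iff it is both an invariant and safe."""
    return is_invariant(inv, tr) and is_safe(inv)

# Two constructed candidates for the design above.
def even(s):                    # "x0 = 0": a safe inductive invariant of tr
    return s % 2 == 0

def below_15(s):                # "value < 15": safe, but not inductive (13 steps to 15)
    return s < 15
```

For `tr` no unrolling depth finds a bad state, so `bmc` returns None, while `tr_by_one` yields the 15-step path 0, 1, ..., 15. Note that `below_15` shows why (3) alone is not enough: the unreachable state 13 satisfies it and steps to 15, so it fails (2) and proves nothing.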

Additionally, IC3 maintains a queue of proof obligations (or CTIs) of the form (m, i), where m is a cube over the state variables and i is a level. At each point of the execution, it considers a proof obligation (m, i) with the smallest level i, and attempts to prove that m cannot be reached in i steps. If i = 0 then there is a real counterexample. Otherwise, it makes a predecessor query SAT(¬m ∧ F_{i-1} ∧ Tr ∧ m') that checks whether a state in m can be reached from a state in F_{i-1}. If the result is satisfiable, it adds a predecessor of m as a new proof obligation at level i - 1. If the result is unsatisfiable, it learns a new lemma φ such that Init → φ, φ → ¬m and φ ∧ F_{i-1} ∧ Tr → φ', and adds φ to all F_j for j ≤ i. In other words, the lemma φ represents a new over-approximation, and in particular demonstrates why the state m cannot be reached in up to i steps from the initial states. An important optimization is to re-enqueue (m, i + 1) as a new proof obligation. If at any point of the execution F_{i+1} = F_i and F_i → ¬Bad, then F_i represents an inductive invariant establishing the correctness of the property.

Data: A cex queue Q, where c ∈ Q is a pair (m, i), m is a cube over state variables, and i ∈ ℕ. A level N. A trace F_0, F_1, ...
Initially: Q = ∅, N = 0, F_0 = Init, ∀i ≥ 1 · F_i = ⊤.
repeat
    Unreachable   If there is an i < N s.t. F_i ⊆ F_{i+1}, return Unreachable.
    Reachable     If there is an m s.t. (m, 0) ∈ Q, return Reachable.
    Unfold        If F_N → ¬Bad, then set N ← N + 1, and Q ← ∅.
    Candidate     If for some m, m → F_N ∧ Bad, then add (m, N) to Q.
    Predecessor   If (m, i+1) ∈ Q and there are m0 and m1 s.t. m1 → m, m0 ∧ m1' is satisfiable, and m0 ∧ m1' → F_i ∧ Tr ∧ m', then add (m0, i) to Q.
    NewLemma      For 0 ≤ i < N: given a candidate model (m, i+1) ∈ Q and a clause φ such that φ → ¬m, if Init → φ and φ ∧ F_i ∧ Tr → φ', then add φ to F_j for j ≤ i+1.
    ReQueue       If (m, i) ∈ Q, 0 < i < N and F_{i-1} ∧ Tr ∧ m' is unsatisfiable, then add (m, i+1) to Q.
    Push          For 0 ≤ i < N and a clause (φ ∨ ψ) ∈ F_i, if φ ∉ F_{i+1}, Init → φ and φ ∧ F_i ∧ Tr → φ', then add φ to F_j for each j ≤ i+1.
until ∞;

Fig. 1. Rule-based description of IC3/PDR.

Fig. 1 shows a rule-based overview of IC3 (adapted from [9]). Initially, Q is empty, N = 0 and F_0 = Init. Then, the rules in Fig. 1 are applied (possibly in a non-deterministic order) until either the Unreachable or the Reachable rule is applicable. Unfold extends the current trace and increases the level at which a counterexample is searched for. Candidate picks a bad state. Predecessor extends a counterexample from the queue by one step. NewLemma blocks a counterexample and adds a new lemma. ReQueue moves the counterexample to the next level. Finally, Push pushes a lemma to the next level, optionally generalizing it inductively. A typical schedule of the rules is to first apply all applicable rules except for Push and Unfold, followed by Push at all levels, then Unfold, and then repeating the cycle.
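To make the rules of Fig. 1 concrete, here is an added Python example (not the paper's code, nor the industrial IC3 implementation it builds on) of a minimal explicit-state IC3 on a constructed 4-bit design: Init is the all-zero state, Tr counts up by two modulo 16, and Bad is the all-ones state, so the reachable states are exactly the even values. Relative induction and predecessor queries are decided by enumerating the 16 states instead of calling a SAT solver, predecessor cubes are full states, and inductive generalization drops literals one at a time. The design, the unsafe variant `succ_by_one` and all function names are assumptions of the example.

```python
# Added example, not the paper's code: a minimal explicit-state IC3 following
# the rules of Fig. 1 on a constructed 4-bit design. A literal (j, v) means
# "x_j = v"; a cube is a frozenset of literals read as a conjunction, a clause
# one read as a disjunction. Frames are sets of clauses, F_0 = Init (in CNF).
NBITS = 4
STATES = range(1 << NBITS)
INIT = {frozenset({(j, 0)}) for j in range(NBITS)}        # Init: x0 = x1 = x2 = x3 = 0
BAD = frozenset((j, 1) for j in range(NBITS))              # Bad: x0 ∧ x1 ∧ x2 ∧ x3 (value 15)

def succ_by_two(s):                                        # Tr: s' = s + 2 (mod 16), SAFE
    return [(s + 2) % (1 << NBITS)]

def succ_by_one(s):                                        # assumed variant: s' = s + 1, UNSAFE
    return [(s + 1) % (1 << NBITS)]

def bit(s, j):
    return (s >> j) & 1

def sat_cube(s, cube):                                     # s ⊨ m
    return all(bit(s, j) == v for j, v in cube)

def sat_clause(s, clause):                                 # s ⊨ φ
    return any(bit(s, j) == v for j, v in clause)

def holds(frame, s):                                       # s ⊨ F_i
    return all(sat_clause(s, c) for c in frame)

def state_cube(s):                                         # the cube satisfied by s alone
    return frozenset((j, bit(s, j)) for j in range(NBITS))

def negate(cube):                                          # ¬m as a clause
    return frozenset((j, 1 - v) for j, v in cube)

def init_implies(clause):                                  # Init → φ
    return all(sat_clause(s, clause) for s in STATES if holds(INIT, s))

def rel_inductive(frame, clause, succ):                    # φ ∧ F_i ∧ Tr → φ'
    return all(sat_clause(t, clause) for s in STATES
               if holds(frame, s) and sat_clause(s, clause) for t in succ(s))

def generalize(frame, clause, succ):
    """Inductive generalization: drop literals of φ = ¬m while Init → φ and
    φ stays inductive relative to the frame; a subclause still implies ¬m."""
    for lit in sorted(clause):
        cand = clause - {lit}
        if init_implies(cand) and rel_inductive(frame, cand, succ):
            clause = cand
    return clause

def rec_block(frames, m0, n, succ):
    """Rules Reachable, Predecessor, NewLemma and ReQueue for the obligation (m0, n)."""
    queue = [(n, m0)]
    while queue:
        queue.sort(key=lambda ob: ob[0])                   # lowest level first
        i, m = queue.pop(0)
        if i == 0:
            return False                                   # Reachable: the CTI meets Init
        pred = next((s for s in STATES if holds(frames[i - 1], s)
                     for t in succ(s) if sat_cube(t, m)), None)
        if pred is not None:                               # Predecessor: F_{i-1} ∧ Tr ∧ m' is SAT
            queue += [(i - 1, state_cube(pred)), (i, m)]
            continue
        phi = generalize(frames[i - 1], negate(m), succ)   # NewLemma
        for j in range(1, i + 1):
            frames[j].add(phi)
        if i < n:                                          # ReQueue at the next level
            queue.append((i + 1, m))
    return True

def ic3(succ):
    """Returns ("Unreachable", F_i with F_i = F_{i+1}) or ("Reachable", None)."""
    frames = [INIT, set()]                                 # F_0 = Init, F_1 = ⊤
    n = 1
    while True:
        while True:                                        # Candidate: a state in F_N ∧ Bad
            cti = next((s for s in STATES if holds(frames[n], s) and sat_cube(s, BAD)), None)
            if cti is None:
                break
            if not rec_block(frames, state_cube(cti), n, succ):
                return ("Reachable", None)
        frames.append(set())                               # Unfold: F_{N+1} = ⊤
        for i in range(1, n + 1):                          # Push every lemma inductive relative to F_i
            for c in sorted(frames[i] - frames[i + 1], key=sorted):
                if rel_inductive(frames[i], c, succ):
                    frames[i + 1].add(c)
            if frames[i] == frames[i + 1]:                 # Unreachable: F_i is a safe invariant
                return ("Unreachable", frozenset(frames[i]))
        n += 1

def is_safe_inductive(frame, succ):
    """Independent check of a returned frame against conditions (2) and (3)."""
    return (all(holds(frame, s) for s in STATES if holds(INIT, s)) and
            all(holds(frame, t) for s in STATES if holds(frame, s) for t in succ(s)) and
            not any(sat_cube(s, BAD) for s in STATES if holds(frame, s)))
```

`ic3(succ_by_two)` returns `Unreachable` together with a frame F_i = F_{i+1}, which `is_safe_inductive` re-checks against conditions (2) and (3); `ic3(succ_by_one)` drives a predecessor chain down to level 0 and returns `Reachable`. The lemmas learned along the way (relative to F_0 = Init first, then to the growing frames) are exactly the "too strong" and "too weak" lemmas discussed in the introduction: most of them are later left behind, and only the frame that stabilizes survives.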


III. Quip: The Algorithm

In this section, we give a high-level description of Quip as a set of rules. This description shows the various reasoning capabilities of Quip and establishes its correctness. A practical implementation of these rules is described in Section IV.

The main data structures and rules for Quip are shown in Fig. 2. Similarly to IC3, Quip manages proof obligations using a priority queue Q. However, each proof obligation is a triple (m, i, t), where m and i are as in IC3, and t is the type of the proof obligation: either may or must. Must-proof-obligations represent cubes that have to be blocked for the problem to be SAFE, while may-proof-obligations represent cubes that would be nice to block but not necessarily so. As in IC3, Quip maintains a trace of clauses F_0, F_1, .... However, the number of non-empty frames in the trace can be larger than the current depth N. Intuitively, a non-empty frame F_i with i > N contains clauses that are inductive up to a yet-to-be-explored level i. Additionally, as in PDR, Quip maintains a set F_∞ of absolute invariants. The unique feature of Quip is that it also maintains a set Reach of states reachable from Init. In practice, we keep Reach as a set of cubes. We say that a lemma φ ∈ F_i is good if it is also in F_∞, bad if it excludes a state in Reach, and unknown otherwise. Note that the categories above are exclusive: a lemma cannot be both good and bad at the same time.

Data: A cex queue Q, where c ∈ Q is a triple (m, i, t), m is a cube over state variables, i ∈ ℕ, and t ∈ {may, must}. A level N. A trace F_0, F_1, .... An invariant F_∞. A set of reachable states Reach.
Initially: Q = ∅, N = 0, Reach = F_0 = Init, ∀i ≥ 1 · F_i = ⊤, F_∞ = ⊤.
Require: Init → ¬Bad
repeat
    Unreachable   If F_∞ → ¬Bad, return Unreachable.
    Reachable     If (m, i, must) ∈ Q and m ∧ (∨Reach) is satisfiable, return Reachable.
    Unfold        If F_N → ¬Bad, then set N ← N + 1.
    Candidate     If for some m, m → F_N ∧ Bad, then add (m, N, must) to Q.
    Predecessor   If (m, i+1, t) ∈ Q and there are m0 and m1 s.t. m1 → m, m0 ∧ m1' is satisfiable, and m0 ∧ m1' → F_i ∧ Tr ∧ m', then add (m0, i, t) to Q.
    NewLemma      For 0 ≤ i < N: given a candidate model (m, i+1, t) ∈ Q and a clause φ such that φ → ¬m, if (∨Reach) → φ and φ ∧ F_i ∧ Tr → φ', then add φ to F_j for j ≤ i+1.
    ReQueue       If (m, i, must) ∈ Q and F_{i-1} ∧ Tr ∧ m' is unsatisfiable, then add (m, i+1, must) to Q.
    Push          For 1 ≤ i and a clause (φ ∨ ψ) ∈ F_i \ F_{i+1}, if (∨Reach) → φ and φ ∧ F_i ∧ Tr → φ', then add φ to F_j for each j ≤ i+1.
    MaxIndSubset  If there is an i s.t. F_i ⊆ F_{i+1}, then F_∞ ← F_i, and ∀j ≥ i · F_j ← F_∞.
    Successor     If (m, i+1, t) ∈ Q and there exist m0, m1 s.t. m0 ∧ m1' is satisfiable and m0 ∧ m1' → (∨Reach) ∧ Tr ∧ m', then add m1 to Reach.
    MayEnqueue    For i ≥ 1 and a clause φ ∈ F_i \ F_{i+1}, if (∨Reach) → φ, add (¬φ, i+1, may) to Q.
    ResetQ        Q ← ∅.
    ResetReach    Reach ← Init.
until ∞;

Fig. 2. Rule-based description of Quip.

We now describe the rules.


a) Termination: The rule Unreachable in Quip is even simpler than the corresponding one in IC3: the verification problem is deduced to be SAFE as soon as F_∞ ⇒ ¬Bad. Note that this formulation makes it extremely easy to handle designs with multiple properties. The rule Reachable in Quip states that the problem is UNSAFE if a must-proof-obligation includes a reachable state; that is, either an initial state or a new reachable state explicitly found by the algorithm.

b) Generating proof obligations: The rules Candidate, Predecessor, and ReQueue are similar to the corresponding rules of IC3. The rule MayEnqueue is new. Candidate picks a bad state and adds it as a must-proof-obligation. Predecessor adds a CTI m0 for an already existing proof obligation m1 as a new proof obligation, at the level one lower than that of m1. The type of m0 is the same as that of m1, and so in particular m0 is a must-proof-obligation whenever m1 is. ReQueue moves a blocked must-proof-obligation to the next level. We explicitly limit this rule to must-proof-obligations only, as may-proof-obligations are handled by MayEnqueue. MayEnqueue picks a lemma φ ∈ F_i \ F_{i+1} that is not yet established at level i + 1 and adds its negation ¬φ as a may-proof-obligation at level i + 1. The rule is only applicable if the status of φ is unknown. Note that it is actually sound to take any clause ψ such that Init ⇒ ψ and any level k, and add ¬ψ at level k as a may-proof-obligation. However, we do not currently use this level of generality.

c) Managing lemmas: Unfold increases the level at which a counterexample is searched for. NewLemma adds a new lemma that blocks a proof obligation. We explicitly disallow learning bad lemmas. For correctness, it is possible to take any clause ψ such that (∨Reach) → ψ and ψ ∧ F_i ∧ Tr → ψ' and add ψ to all F_j for j ≤ i + 1. Push pushes a lemma to the next level, optionally generalizing it inductively. As before, we limit pushing and generalization to unknown lemmas only. An important distinction from IC3 is that in Quip Push is not limited to the current working depth N of the algorithm.

d) Inductive invariant: MaxIndSubset checks whether for some i there is F_i = F_{i+1}. In this case, F_i is an inductive invariant which is used to enlarge F_∞. In the case i < N, F_∞ is a safe inductive invariant and an immediate application of Unreachable finishes the verification. Otherwise, it discovers new good lemmas. Correctness follows from the fact that F_i = F_{i+1} indirectly implies that ∀j ≥ i · Reach ∩ ¬F_j = ∅. That is, there are no bad lemmas in any F_j for j ≥ i. Note that a maximal inductive subset of the current lemmas is computed by applying Push as much as possible, followed by MaxIndSubset.

e) Reachability: Successor adds new reachable states. Given a proof obligation m that can be reached in one transition from an already known reachable state (either an initial state or an explicitly found reachable state), it computes a new reachable state m1 that is included in m and adds it to Reach.

f) Restarts: The final set of rules deals with various reset mechanisms. The rule ResetQ allows emptying the proof obligation queue. This rule can be thought of as a "local reset" that may guide Quip to a different part of the search space by examining different predecessors and learning new lemmas. Note that in IC3, ResetQ is implicitly included in Unfold. That is, IC3 resets its queue every time a new depth is explored. In Quip, on the other hand, this choice is flexible. The rule ResetReach resets the reachable states. In practice, we may remove only some (less useful) reachable states when their number becomes too large.

F_0 ← Init
if F_0 ∧ Bad is satisfiable then
    return Cex
N ← 0; F_∞ ← ⊤; Reach ← F_0
while true do
    N ← N + 1
    if Quip_RecBlockCube(Bad, N) = Cex then
        return Cex
    if Quip_Push() = Proof then
        return Proof

Fig. 3. Main Procedure (Quip_Main).

IV. Quip: Implementation

In this section, we describe our implementation of the Quip rules.

The set of all reachable states handled by Quip is of the form Reach = Init ∪ R, where Init are the initial states and R are the reachable states dynamically discovered by the algorithm. In our current implementation, R consists only of concrete states. That is, each element of R is a complete assignment to all state variables. Each state in R is stored as a Boolean array. The main functionality required from R is checking whether a given cube s intersects (or, equivalently, subsumes) one of the states r in R. In the pseudocode below, the function Intersect(R, s) returns Null if R ∩ s = ∅, and returns a state r ∈ R with r ∩ s ≠ ∅ otherwise.

In what follows, we require an additional bookkeeping mechanism. If a proof obligation (t, g, p) is added as a predecessor of another proof obligation (s, f, p) using the Predecessor rule, then we say that s is the parent of t. On the other hand, if (s, f, p) is added using either Candidate or MayEnqueue, then we say that s has no parent. Finally, the rule ReQueue keeps the parent information. In the pseudocode, we let Parent(s) be the parent of s, or Null if none. To some extent this bookkeeping is already supported by most IC3 implementations, as it is required for reconstructing counterexamples.

A. The Main Loop

Our implementation of Quip follows a structure similar to that of PDR [2]. For completeness, the main loop is shown in Fig. 3. The algorithm first checks the absence of counterexamples at level 0, and then incrementally increases the working level N until either a counterexample or a safe inductive invariant is found.

B. Recursive Block Cube

The central procedure, Quip_RecBlockCube, that recursively blocks a bad state, is shown in Fig. 4. On the surface, it looks similar to Pdr_RecursiveBlockCube from PDR, but there are many important differences.


Input: (Cube s0, Frame f0)
Data: Priority queue Q of triples (c, f, t), where c is a cube, f is a level and t ∈ {may, must}
Data: Map Parent from a proof obligation to its parent proof obligation (Null if none)
Data: Array R containing concrete reachable states

 1  Add(Q, (s0, f0, must))
 2  Parent(s0) ← Null
 3  while ¬Empty(Q) do
 4      (s, f, p) ← Pop(Q)
 5      if f = 0 then
 6          if p = must then
                // Found Real Counterexample
 7              return Cex
 8          else
                // New reachable state
 9              Find r such that Init ∧ Tr ∧ r' is satisfiable and r ∩ Parent(s) ≠ ∅; Add r to R
10          continue
11      if (r0 ← Intersect(R, s)) ≠ Null then
12          if p = must then
                // Found Real Counterexample
13              return Cex
14          else
15              if Parent(s) ≠ Null then
                    // New reachable state
16                  Find r such that r0 ∧ Tr ∧ r' is satisfiable and r ∩ Parent(s) ≠ ∅; Add r to R
17          continue
18      (t, g) ← Block(s, f)
19      if g ≠ f - 1 then
            // Cube s is successfully blocked by lemma ¬t
            // Lemma ¬t holds until frame g
20          if g < N then
21              if t ≠ s then
22                  Add(Q, (t, g + 1, may))
23                  Parent(t) ← Null
24              else
25                  Add(Q, (t, g + 1, p))
26      else
            // t is a predecessor of s
27          Add(Q, (t, f - 1, p))
28          Add(Q, (s, f, p))
29          Parent(t) ← s
30  return Blocked

Fig. 4. Recursive Block Cube (Quip_RecBlockCube).


Quip_RecBlockCube accepts a must-proof-obligation (s0, f0, must), and either succeeds in strengthening the trace so that s0 is blocked at level f0, or finds a concrete reachable state r that intersects s0 (hence r is a witness that ¬s0 is not an invariant).

Quip_RecBlockCube starts by adding the proof obligation (s0, f0, must), with no parent, to Q (lines 1-2) and proceeds to the main loop. In each iteration of the loop, it retrieves the proof obligation from Q with the lowest level, and in case of a tie, with the smaller number of literals. In particular, the proposed tie-breaking condition means that when Q contains two proof obligations s1 and s2 at the lowest level, with s1 ⊂ s2, the algorithm will select s1 first, hence attempting to derive the strongest possible lemma (one that would automatically block s2 as well). Let (s, f, p) be this proof obligation (line 4).

Let us first assume that the level f of the proof obligation is 0 (lines 5-10). In particular, s ∩ Init ≠ ∅ and Parent(s) ≠ Null (according to our rules, only Predecessor can add proof obligations at level 0). If this is a must-proof-obligation (lines 6-7), then our property is deduced to be UNSAFE and Quip_RecBlockCube terminates. Moreover, a concrete counterexample can be reconstructed using the parent information. If this is a may-proof-obligation (lines 8-10), then we compute a new reachable state r that is one-step reachable from Init and that intersects Parent(s). Note that such a state r must always exist, since s is a CTI for Parent(s). In our implementation, we use a dedicated SAT solver for all the successor queries, including the reconstruction of real counterexamples. However, by also saving for each predecessor the assignment to the inputs, this task can be reduced to simulation. The new state r is then added to R. In particular, when on some future iteration the algorithm returns to examining the proof obligation corresponding to Parent(s), Parent(s) already intersects R.

Next, let us assume that s intersects a state r0 ∈ R (lines 11-17). If this is a must-proof-obligation, then our property is deduced to be UNSAFE and the procedure terminates. By additionally storing for each state in R its predecessor (not explicitly shown in the pseudocode), we can again reconstruct a real counterexample. If this is a may-proof-obligation and Parent(s) ≠ Null, then as before we compute a reachable state r that is one-step reachable from r0 and that intersects Parent(s), so that when the algorithm returns to examining Parent(s) the condition Intersect(R, Parent(s)) ≠ Null is activated and the reachable state is further propagated. In other words, as soon as a recursive predecessor of a may-proof-obligation intersects an initial state or an already existing reachable state in R, a sequence of additional reachable states is discovered, including a reachable state that intersects the given proof obligation.

The helper procedure Block (line 18), adapted from PDR [2], hides some less relevant details. In our implementation, Block(s, f) first syntactically checks whether s is already blocked in the frame f, i.e., whether there exists a lemma ¬t ∈ F_g with t ⊆ s and f ≤ g (the case g = ∞ is also allowed). If so, then (t, g) is returned. Otherwise, Block(s, f) checks whether the formula F_{f−1} ∧ Tr ∧ s' is satisfiable. If it is, a predecessor t of s is extracted and suitably generalized. In this case, (t, f − 1) is returned. If the formula is unsatisfiable, then using an inductive generalization procedure, we obtain a lemma ¬t which holds at least up to the frame f (and possibly up to a larger frame g, including ∞). In this case, Block adds the lemma ¬t to F_g and returns (t, g). Note that lemma generalization takes the reachable states R into account, and ensures that new lemmas always include all of R.
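The following is an added, explicit-state model of the Block(s, f) helper just described; it is not the paper's implementation, which issues these queries to a SAT solver. The toy transition system (a 2-bit counter with a third bit that never changes), the frame contents and the R sets are constructed for the example, and the consecution query is written in the usual IC3 form F_{f−1} ∧ ¬s ∧ Tr ∧ s' (with ¬s conjoined), which is an assumption about the query the text abbreviates. The example walks through all three outcomes: the syntactic hit, a predecessor obtained by dropping literals from a concrete state, and a new lemma whose inductive generalization is forced to include every state of R and is then pushed to the highest frame at which it holds.

```python
"""Explicit-state model of Block(s, f) (added illustration; not the
paper's SAT-based implementation)."""
from itertools import product

INF = float("inf")

def sat(state, cube):
    """True iff the complete assignment `state` lies inside `cube`, a
    frozenset of (variable index, value) literals."""
    return all(state[v] == val for v, val in cube)

# Constructed toy system: (x0, x1) is a 2-bit counter, x2 never changes.
STATES = list(product((0, 1), repeat=3))
INIT = {(0, 0, 0)}

def tr(s):                          # deterministic transition function
    return (1 - s[0], s[1] ^ s[0], s[2])

class Trace:
    """frames[g] (g = 1..N) holds the cubes t whose negations ¬t are the
    lemmas of F_g; f_inf holds the inductive ones; R is the explicit set of
    reachable states. Full sets as in the paper: F_g = frames[g] ∪ f_inf."""

    def __init__(self, frames, f_inf, R):
        self.F = [set(f) for f in frames]
        self.f_inf, self.R = set(f_inf), set(R)

    def frame(self, g):
        return (self.F[g] if g < len(self.F) else set()) | self.f_inf

    def frame_states(self, g):      # states satisfying F_g; F_0 is Init
        if g == 0:
            return list(INIT)
        return [s for s in STATES if not any(sat(s, c) for c in self.frame(g))]

    def consecution(self, g, t):    # F_{g-1} ∧ ¬t ∧ Tr ⇒ ¬t'  (g = INF: relative to F_inf)
        prev = INF if g == INF else g - 1
        return all(not sat(tr(s), t) for s in self.frame_states(prev) if not sat(s, t))

    def generalize(self, s, f):
        """Drop literals of s while ¬t stays relatively inductive at f,
        excludes Init and, as in Quip, includes every state of R."""
        t = set(s)
        for lit in sorted(s):
            cand = frozenset(t - {lit})
            if (cand and not any(sat(i, cand) for i in INIT)
                    and not any(sat(r, cand) for r in self.R)
                    and self.consecution(f, cand)):
                t = set(cand)
        return frozenset(t)

    def generalize_pred(self, p, s):
        """Drop literals of the full predecessor assignment p while every
        state left in the cube still steps into s."""
        t = {(v, p[v]) for v in range(len(p))}
        for lit in sorted(t):
            cand = t - {lit}
            if all(sat(tr(q), s) for q in STATES if sat(q, cand)):
                t = cand
        return frozenset(t)

    def block(self, s, f):
        # 1. syntactic check: a lemma ¬t with t ⊆ s already sits at some g ≥ f
        for g in [INF] + list(range(len(self.F) - 1, f - 1, -1)):
            for t in self.frame(g):
                if t <= s:
                    return t, g
        # 2. F_{f-1} ∧ ¬s ∧ Tr ∧ s' satisfiable: return a generalized predecessor
        for p in self.frame_states(f - 1):
            if not sat(p, s) and sat(tr(p), s):
                return self.generalize_pred(p, s), f - 1
        # 3. unsatisfiable: learn ¬t and push it to the highest frame g ≥ f it holds at
        t = self.generalize(s, f)
        g = f
        while g < len(self.F) - 1 and self.consecution(g + 1, t):
            g += 1
        if self.consecution(INF, t):
            g = INF
            self.f_inf.add(t)
        else:
            while len(self.F) <= g:
                self.F.append(set())
            for j in range(1, g + 1):   # full sets: a lemma of F_g is in F_1..F_g
                self.F[j].add(t)
        return t, g

def demo():
    """Constructed calls: (a) the Bad cube x2 = 1 yields an inductive lemma;
    (b) ¬(x0 ∧ x1) generalizes to ¬x1 with R = {Init} but not once R also
    holds (0, 1, 0); (c) at frame 2 a predecessor is found instead."""
    s = frozenset({(0, 1), (1, 1)})
    a = Trace([set(), set()], set(), {(0, 0, 0)}).block(frozenset({(2, 1)}), 1)
    b1 = Trace([set(), set()], set(), {(0, 0, 0)}).block(s, 1)
    b2 = Trace([set(), set()], set(), {(0, 0, 0), (0, 1, 0)}).block(s, 1)
    c = Trace([set(), {frozenset({(2, 1)})}], set(), {(0, 0, 0)}).block(s, 2)
    return a, b1, b2, c
```

In case (b) the lemma ¬x1 obtained with R = {Init} is in fact bad (it excludes the reachable state (0, 1, 0)); once that state is in R the generalization keeps both literals, which is exactly the pruning effect the text attributes to R.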

Let us first consider the case that the cube s was successfully blocked (lines 20-25), i.e., Block returns a lemma ¬t ∈ F_g with t ⊆ s and f ≤ g. An important optimization in IC3 consists of reinserting the proof-obligation s at the level g + 1, forcing the algorithm to block s in all higher frames as well. The unique feature of Quip is that ¬t is inserted into Q at the level g + 1 instead of s. This forces the algorithm to concentrate on further pushing the existing lemma t rather than discovering new lemmas to block s at a higher level. However, ¬t can only be added as a may-obligation (with the only exception being that s = t and s is a must-obligation). Finally, note that when t ≠ s, the cube t has no parent; otherwise we keep the previous parent of s.

    for k = 1, ... do
      for all lemmas c ∈ F_k \ F_{k+1} do
        // Rule Push
  1     if ¬bad(c) then
  2       if F_k ∧ c ∧ Tr ⇒ c' then
  3         F_{k+1} ← F_{k+1} ∪ {c}
  4   if F_k \ F_{k+1} = ∅ then
        // Rule MaxIndSubset
  5     for j = k + 1, ..., ∞ do
  6       F_j ← F_k
  7     break
    if F_∞ ⇒ ¬Bad then
      // Found Safe Inductive Invariant
  8   return Proof
    return Unknown

Fig. 5. Pushing lemmas (Quip_Push).

In the case that a predecessor t of s is found (lines 16-29), just as in IC3, Quip returns (s, f, p) to Q, as well as inserting a new proof obligation (t, f − 1, p) of the same type as the proof obligation s. The parent of t is set to s.


C.  Pushing 

Fig. 5 describes our pushing procedure Quip_Push. For each lemma c, we keep a Boolean flag bad(c) that represents whether c is known to be bad (that is, whether c excludes some states in Reach). We say that a lemma is unknown if bad(c) = False and c ∉ F_∞. Each time that a new reachable state r is added in Quip_RecBlockCube, we check it against every unknown lemma in the system and mark as bad those lemmas that exclude r. Just as in IC3, in practice the sets F_i are delta-encoded: for any i ≠ j, F_i ∩ F_j = ∅. However, for this presentation, we are using the full sets F_i as defined in the introduction. The pushing stage proceeds as in IC3, with the following exceptions. First, bad lemmas are not pushed. This has two positive effects. The primary effect is conserving resources by not propagating lemmas that have no chance to be in the final invariant. A secondary effect is that as new lemmas are learned, they are less dependent on the currently known bad lemmas. Second, the lemmas are pushed arbitrarily far past the current depth N. In particular, in the last iteration of the outer for-loop, all lemmas at level k are pushed to the next frame. In this case, the if-condition on line 3 is true, and all lemmas of F_{k+1} are added to F_∞. It is easy to see that after Quip_Push, F_∞ contains the maximal inductive subset of all lemmas in the system. If F_∞ implies ¬Bad, i.e., F_∞ represents a safe inductive invariant, then Quip_Push returns Proof.
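The following is an added, explicit-state rendering of Quip_Push (Fig. 5), not the paper's code. The toy system and the starting trace are constructed for the example: F_1 holds four lemmas, two of which exclude reachable states, and the trace has depth N = 1 so that the push runs past N until the MaxIndSubset rule fires. Running it once with an empty R and once with the complete reachable set shows what the bad(c) flag buys: with R known, the two bad lemmas are never queried, and one of them (¬(x0 ∧ x1), which is relatively inductive at F_1 but fails at F_2) is no longer carried into F_2 before failing there.

```python
"""Explicit-state rendering of Quip_Push (Fig. 5); an added illustration,
not the paper's implementation."""
from itertools import product

def sat(state, cube):
    """True iff the complete assignment `state` lies inside `cube`, a
    frozenset of (variable index, value) literals."""
    return all(state[v] == val for v, val in cube)

def states_of(lemmas):
    """States satisfying every lemma ¬c, c in lemmas."""
    return [s for s in STATES if not any(sat(s, c) for c in lemmas)]

# Constructed toy system: (x0, x1) is a 2-bit counter, x2 never changes.
STATES = list(product((0, 1), repeat=3))
INIT = (0, 0, 0)

def tr(s):
    return (1 - s[0], s[1] ^ s[0], s[2])

def bad(s):
    return s[2] == 1

def reachable():
    """Explicit forward reachability from Init (the complete R)."""
    seen, todo = {INIT}, [INIT]
    while todo:
        n = tr(todo.pop())
        if n not in seen:
            seen.add(n)
            todo.append(n)
    return seen

def quip_push(frames, f_inf, R):
    """frames[k], k = 1..N, holds the lemmas of F_k not yet known inductive
    (frames[0] is unused); f_inf holds the inductive ones. Full sets as in
    the paper: F_k = frames[k] ∪ f_inf. Returns (verdict, f_inf, frames,
    queries), where queries counts the checks F_k ∧ c ∧ Tr ⇒ c' performed."""
    frames = [set(f) for f in frames]
    f_inf = set(f_inf)
    queries = 0
    k = 1
    while True:
        while len(frames) <= k + 1:
            frames.append(set())          # frames past N start out as F_inf only
        Fk = frames[k] | f_inf
        for c in sorted(frames[k] - frames[k + 1], key=sorted):
            # Rule Push: a bad lemma excludes some state of R and is skipped
            if any(sat(r, c) for r in R):
                continue
            queries += 1
            if all(not sat(tr(s), c) for s in states_of(Fk)):   # F_k ∧ c ∧ Tr ⇒ c'
                frames[k + 1].add(c)
        if not (frames[k] - frames[k + 1]):
            # Rule MaxIndSubset: F_k = F_{k+1}, so every lemma of F_k is inductive
            f_inf |= frames[k]
            for j in range(k + 1, len(frames)):
                frames[j] = set(frames[k])
            break
        k += 1
    safe = not any(bad(s) for s in states_of(f_inf))      # F_inf ⇒ ¬Bad ?
    return ("Proof" if safe else "Unknown"), f_inf, frames, queries

# Constructed lemmas, written as the cubes they negate.
NOT_X2 = frozenset({(2, 1)})              # ¬x2: inductive
NOT_X2X0 = frozenset({(2, 1), (0, 1)})    # ¬(x2 ∧ x0): inductive relative to ¬x2
NOT_11 = frozenset({(0, 1), (1, 1)})      # ¬(x0 ∧ x1): bad, (1,1,0) is reachable
NOT_01 = frozenset({(0, 0), (1, 1)})      # ¬(¬x0 ∧ x1): bad, (0,1,0) is reachable

def demo(R):
    """Push from a trace of depth N = 1 whose F_1 holds all four lemmas."""
    return quip_push([set(), {NOT_X2, NOT_X2X0, NOT_11, NOT_01}], set(), R)
```

Both runs end with the same F_∞ = {¬x2, ¬(x2 ∧ x0)} and the verdict Proof; the difference is in the number of consecution queries (9 without R, 4 with the full R) and in the intermediate frames, which with R known never contain a bad lemma above F_1.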


D.  Managing  reachable  states 

Efficiently handling reachable states poses additional challenges. Currently we represent reachable states explicitly, and as their number grows large, the time taken by Intersect and the memory required for their storage become significant. However, our experience shows that many of the reachable states can be removed without sacrificing much of the number of may-proof-obligations pruned or the quality of lemmas discovered, and that the newly discovered states are more likely to be useful in the immediate future. Thus our solution mimics the clause deletion strategy used in a SAT solver: for each reachable state we keep an activity representing how many times the state was a witness for an intersection, and we periodically decay this activity and aggressively delete the less active states. Furthermore, since in our current implementation most of the time spent on managing lemmas goes to inductive generalization (making sure that a learned lemma includes all the states in Reach), we have found it further beneficial to consider even fewer reachable states during generalization.
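An added sketch, not the paper's code, of the activity bookkeeping described above: a state's activity is bumped whenever it witnesses an intersection, all activities are decayed periodically, and the least active states are deleted. It also carries the bad-lemma marking described under Pushing, since both are triggered by the same event (a new state entering R). The states, cubes and the pruning threshold are constructed inputs; the tie-breaking rule in favour of more recently discovered states is this example's choice, following the text's observation that new states tend to be useful soon.

```python
"""Activity-based bookkeeping for the explicit reachable-state set R
(added illustration, not the paper's implementation)."""

def sat(state, cube):
    """True iff the complete assignment `state` lies inside `cube`, a
    frozenset of (variable index, value) literals."""
    return all(state[v] == val for v, val in cube)

class ReachStore:
    """Explicit R with a per-state activity score that is bumped when the
    state witnesses an intersection, decayed periodically, and used to
    delete the least active states, mirroring SAT-solver clause deletion."""

    def __init__(self, decay=0.5):
        self.activity = {}          # state -> activity, in discovery order
        self.decay_factor = decay

    def add(self, r, unknown_lemmas):
        """Record a newly discovered reachable state r. Returns the lemmas
        (given as the cubes they negate) that exclude r: they are now bad."""
        self.activity.setdefault(r, 0.0)
        return {c for c in unknown_lemmas if sat(r, c)}

    def intersect(self, cube):
        """Intersect(R, cube): some state of R inside the cube, or None."""
        for r in self.activity:
            if sat(r, cube):
                self.activity[r] += 1.0       # r was a witness: bump it
                return r
        return None

    def decay(self):
        for r in self.activity:
            self.activity[r] *= self.decay_factor

    def prune(self, keep):
        """Delete all but the `keep` most active states. Ties go to the more
        recently discovered state, which is expected to be useful soon."""
        ranked = sorted(enumerate(self.activity.items()),
                        key=lambda e: (e[1][1], e[0]), reverse=True)
        survivors = {state for _, (state, _) in ranked[:keep]}
        self.activity = {s: a for s, a in self.activity.items() if s in survivors}
        return survivors

# Constructed lemmas (as the cubes they negate) for the demo below.
NOT_11 = frozenset({(0, 1), (1, 1)})      # ¬(x0 ∧ x1)
NOT_X2 = frozenset({(2, 1)})              # ¬x2

def demo():
    """Constructed run: four reachable states of a 3-bit system enter R,
    four intersection queries bump activities, then R is decayed and pruned."""
    store = ReachStore(decay=0.5)
    unknown = {NOT_11, NOT_X2}
    newly_bad = set()
    for r in [(0, 0, 0), (1, 0, 0), (0, 1, 0), (1, 1, 0)]:
        newly_bad |= store.add(r, unknown)
        unknown -= newly_bad
    witnesses = [store.intersect(frozenset(q)) for q in
                 [{(1, 1)}, {(0, 1), (1, 1)}, {(0, 0), (1, 0)}, {(1, 1)}]]
    store.decay()
    survivors = store.prune(keep=2)
    # (0,0,0) has been deleted, so the last query no longer finds a witness
    return newly_bad, witnesses, survivors, store.intersect(frozenset({(0, 0), (1, 0)}))
```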

It  may  also  be  possible  to  compute  partial  states  directly 
from  the  Successor  query,  or  to  represent  reachable  states 
symbolically by computing a minimal DNF representation of R.
An  alternative  way  to  take  reachable  states  into  account  is  to 
include  them  directly  in  F0.  Another  optimization  is  to  check 
whether  a  given  may-obligation  is  one-step  reachable  from  R. 
However,  we  have  found  both  of  these  difficult  to  implement 
efficiently.  Finally,  it  might  also  be  useful  to  push  reachable 
states  forward  more  aggressively,  for  example,  by  running  a 
simulation  from  already  known  reachable  states. 

V.  Alternatives 

In  this  section,  we  present  two  alternative  implementations 
of  Quip,  which  illustrate  the  variety  of  possibilities  offered  by 
our framework. Unfortunately, for the reasons discussed below, neither of these variants performs consistently yet. We sketch how they could be improved in the future.

A.  Reset-free  approach 

Both IC3 and Quip as described previously implicitly reset the queue of proof obligations each time that a new depth is explored. An interesting alternative in Quip is as follows. (1) Allow enqueuing proof-obligations at any level (and not only up to N) by removing the if-condition on line 20 of Quip_RecBlockCube. (2) Check whether F_k = F_{k+1} each time that a lemma is successfully pushed from F_k to a higher frame (or simply each time that a proof obligation at level k + 1 is successfully blocked); if F_k = F_{k+1}, then grow the set F_∞ to F_k, and check the termination condition F_∞ ⇒ ¬Bad. (3) Replace Quip_Main by a single call to Quip_RecBlockCube(Bad, 1). In this way, the negation of every unknown lemma in the system is always present as a proof obligation at the corresponding frame and the external pushing stage can be avoided altogether. This alternative procedure takes to the extreme the idea of pushing every lemma in the system as far as possible, and arguably results in an even simpler overall algorithm. However, a preliminary experimental evaluation shows that this scheme
performs worse in practice. One possible explanation is that periodically resetting the proof obligation queue keeps proof obligations more focused on proving the property, while the procedure above handles the “main” lemmas and the “supporting” lemmas (and the supporting lemmas for the supporting lemmas, and so on) equally. A possible solution would be to define some additional criteria for proof obligations reflecting their expected usefulness, and to take these into account when choosing the next proof obligation.

TABLE I. Summary of experimental results

        UNSAFE solved    UNSAFE time    SAFE solved    SAFE time
IC3     22 (2)           52,302         76 (7)         137,244
Quip    32 (12)          20,302         99 (30)        69,590

Experimental results on the instances solved by either IC3 or Quip, separated into unsafe and safe instances. The numbers in parentheses represent the unique solves. The times are in seconds.

B.  Garbage-collecting  bad  lemmas 

We can use the classification of all lemmas into good, bad and unknown to periodically remove all the bad lemmas from the system. However, as bad lemmas may be supporting other unknown lemmas, we cannot simply remove bad lemmas from their corresponding frames. Instead, we can keep all the good lemmas in F_∞, put all the unknown lemmas into F_1, and use Push to push the unknown lemmas as far as possible. We have found that during this pushing stage it is important to preserve the set of lemmas as much as possible, which requires disabling both the additional generalizing capability of pushing and the built-in subsumption mechanism for storing lemmas.

Note that we might also need to decrease the current bound N at which the property is proved. A preliminary experimental evaluation shows that this variant usually allows Quip to converge at a smaller depth, and in some cases leads to a significant speedup. However, it is also true that applying “garbage collection” too aggressively leads on average to a significant performance degradation, and ongoing work is to find a good heuristic for when to apply it and how to properly combine it with the resetting of reachable states described in Section IV.

VI.  Experiments 

In this section, we present our experimental results. We compare Quip with a custom variant of IC3, as implemented in the IBM formal verification tool Rulebase-Sixthsense [?]. All experiments were performed on a 2.13 GHz Linux-based machine with an Intel Xeon E7-4830 processor, 16 GB of RAM, and a one hour time limit. We have used 300 single-property designs from the HWMCC'13 and HWMCC'14 benchmark sets. These are obtained by removing duplicates and instances solved using standard logic synthesis (similar to the &dc2 command in ABC [?]).

The overall results are shown in Table I. The columns “UNSAFE solved” and “SAFE solved” show the number of unsafe and safe instances, respectively, solved by either IC3 or Quip. The numbers in parentheses represent the number of instances not solved by the other configuration. The columns “UNSAFE time” and “SAFE time” represent the cumulative time in seconds for unsafe and safe properties, respectively. According to our experiments, either IC3 or Quip was successful on 34 unsafe instances and 106 safe instances. In the remaining 160 instances both IC3 and Quip timed out. We can see that Quip is clearly superior to IC3 on both safe and unsafe problems, solving more properties and running in roughly half of the time.

[Fig. 6: scatter plot “IC3 v.s. Quip on HWMCC'13 and '14”, not reproduced; x-axis IC3 (secs), logarithmic scale from 1 to 1000.]

Fig. 6. Run-time comparison between IC3 and Quip. Points below the diagonal are in favor of Quip. The scale is logarithmic. Diagonals mark an order of magnitude. Timeout is 3,600 seconds.

TABLE II. Data on reachable states discovered by Quip

# reach. states    0-10    11-100    101-1K    1K-10K    10K-50K
# instances        42      19        29        32        9
# unique solved    1       1         10        22        8

A more detailed comparison between IC3 and Quip is shown on the scatter plot in Fig. 6. Only the 140 instances solved by at least one tool are shown. For instances solved by both, the run time is similar, with an advantage for Quip. Sometimes, the advantage is over an order of magnitude. Quip shines on harder instances and is able to solve significantly more of them than IC3.

Finally, we give some intuition on the total number of reachable states typically discovered by Quip and whether these states are useful for verification. Table II contains the data for the 131 instances solved by Quip, including the 42 instances not solved by IC3. In the table, the row “#reach. states” represents a range, the row “#instances” specifies the number of instances solved by Quip with the total number of reachable states in this range, and the row “#unique solves” further specifies the number of instances solved uniquely by Quip. For example, the third column means that 29 instances solved by Quip required between 101 and 10,000 reachable states, and 10 out of 29 are not solved by IC3. We draw two conclusions. First, even though we use concrete reachable states (i.e., complete assignments to all state variables), relatively few states had to be discovered. Second, the advantage of Quip over IC3 is especially pronounced as the number of learned reachable states increases. For example, of the 61 instances where Quip required less than 100 reachable states, only 2 are not solved by IC3. However, of the 9 instances where Quip finds more than 10,001 reachable states, 8 (i.e., all but 1) are not solved by IC3.


VII.  Related  Work 


Computing a Maximal Inductive Subset (MIS) is a well-known problem in both hardware and software verification (e.g., [?], [13]). Applying MIS to enlarge F_∞ in IC3/PDR is already suggested in [2], but it was not effective since the cost of computing an MIS outweighed the gains. In Quip, the MIS computation is amortized by not limiting the Quip/Push rule to the current bound N (for comparison, see IC3/Push in Fig. 1) and by discovering an MIS opportunistically using Quip/MaxIndSubset. Thus, even if the MIS computation is unsuccessful and no new lemmas are added to F_∞, the trace is strengthened for the future runs of the algorithm. In our experience, extending IC3 in this way is beneficial regardless of the other Quip rules.

Blocking states that are not necessarily backward reachable from an error state and separating proof obligations into may and must was proposed in the context of IC3-based abstraction refinement [14]. The idea is also implicitly present in the computation of minimal inductive clauses [3] and in predicate-abstraction-based extensions of IC3 to software [?], [?]. In contrast to the above algorithms, Quip seamlessly integrates must and may reasoning into one algorithmic procedure without any specialized refinement steps. More significantly, Quip uses the reachable states that witness a failure of a may-proof-obligation to improve future lemma generalization. Thus, both proving and disproving a may-proof-obligation is beneficial to the overall algorithm.

Extracting forward reachable states from spurious counterexamples also appears in NewItp as states for refinement in the context of interpolation-based model checking. Similar to Quip, these states are used to guide future interpolants to avoid reachable states. In essence, Quip computes both an over-approximation (lemmas) and an under-approximation (Reach) of reachable states. This can be seen as an extension of the over- and under-approximations used in Spacer [6] from modular to monolithic proofs. The key difference is that Spacer under-approximates summaries of procedures and not states reachable from an initial state.

Interestingly, the CTIs of Reverse IC3 [?], a dual variant of IC3 that recursively enumerates states reachable from Init and that learns an over-approximation of states backward reachable from Bad, are forward reachable states. Thus, it might be possible to combine IC3 and Reverse IC3 into an algorithm that computes both forward and backward reachable states and their over-approximations, somewhat akin to DAR [?], although DAR is restricted to over-approximations only.

VIII.  Conclusions 

In this paper, we present an improvement to the core of the IC3 algorithm. We propose an approach, called Quip, that is designed to propagate learned lemmas more aggressively, and whose implementation seamlessly integrates must and may proof-obligations and forward reachable states. The experimental results show that a naive implementation of Quip significantly outperforms a highly-tuned implementation of IC3/PDR. We believe that the new reasoning capabilities introduced in Quip open up many opportunities for further improvements to SAT-based automated verification.